C3. Validate user input
What this page helps you do
Reduce bugs and abuse caused by bad input.
Why it matters
Users, bots, and broken clients will all send data your app did not expect.
You should already have
- forms, API routes, uploads, or other user input
Skip this page if
- the app truly accepts no user input
What to do
- validate inputs on the server side
- keep error messages clear enough for users
- do not trust browser-only checks
Recommended default
Validate at the boundary where data enters the server.
Common mistakes
- relying only on front-end checks
- accepting giant inputs with no size limits
- forgetting admin or internal tools still need validation
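The checks above, as an added example that is not part of the original page: server-side validation of a JSON signup request using only the Python standard library. The function name, field names, and limits are assumptions made for illustration.

```python
import json

# Assumed limits for this example; size them to your real payloads.
MAX_BODY_BYTES = 4096
MAX_NAME_CHARS = 80
ALLOWED_FIELDS = {"name", "email", "age"}


def validate_signup(raw_body: bytes):
    """Return (clean_data, errors); exactly one of the two is empty."""
    # 1. Enforce the size limit before doing any parsing work.
    if len(raw_body) > MAX_BODY_BYTES:
        return {}, {"body": f"Request is too large (max {MAX_BODY_BYTES} bytes)."}

    # 2. The body must be UTF-8 JSON, and the top level must be an object.
    try:
        data = json.loads(raw_body.decode("utf-8"))
    except (ValueError, RecursionError):  # bad bytes, bad JSON, extreme nesting
        return {}, {"body": "Request body must be valid JSON."}
    if not isinstance(data, dict):
        return {}, {"body": "Request body must be a JSON object."}

    # 3. Reject fields the server does not expect.
    errors = {key: "Unknown field." for key in set(data) - ALLOWED_FIELDS}

    # 4. Check the type first, then length or range, for each field.
    name = data.get("name")
    if not isinstance(name, str) or not name.strip():
        errors["name"] = "Name is required."
    elif len(name) > MAX_NAME_CHARS:
        errors["name"] = f"Name must be at most {MAX_NAME_CHARS} characters."

    email = data.get("email")
    # Shape check only: an "@" with text on both sides.
    if not isinstance(email, str) or len(email) > 254 or "@" not in email[1:-1]:
        errors["email"] = "Enter a valid email address."

    age = data.get("age")
    # bool is a subclass of int in Python, so rule it out explicitly.
    if isinstance(age, bool) or not isinstance(age, int) or not 13 <= age <= 120:
        errors["age"] = "Age must be a whole number between 13 and 120."
    if errors:
        return {}, errors
    return {"name": name.strip(), "email": email, "age": age}, {}


if __name__ == "__main__":
    # Constructed sample request, not real traffic.
    print(validate_signup(b'{"name": "", "age": "old", "is_admin": true}'))
```

Call it from the request handler before any other code touches the body, and return the errors dictionary to the client with a 400 response.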
Next step
Go to C4. Reduce spam and abuse.
Advanced notes
TODO for contributors: add examples of validating files, forms, and JSON payloads in simple language.